[00:00:00] Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/332 Thanks!

[00:00:09] Thank you. I hope I will calm them soon, so I'm able actually to operate, so let's try. So first of all, we will have a shared history lesson about the platform processors and the history of the platform processors. Then obviously, we will have a look how it looks today. And most of the lecture we will spend together doing the hardware and the analysis of the System Management Unit.

[00:00:41] And so, the x86 processor. As you might know, it is quite old processor, from the late 70s. And what is interesting is that this processor always had little small processors, which were trying to help the big x86 processor. It is really quite old, from 1984 and also 1983.
[00:01:10] Those processors were the platform processors without possibility to change the firmware, but they had a lot of important functions, which in that time was a keyboard and also the resetting of the whole platform and the famous A20 hardware. I want to just make sure what is the level here. So who knows what is A20? Great. I am at the conference, so it's OK.

[00:01:44] Yes. And so those were the first processors. And as you might know, the laptops generally also include one more processor, which is usually used for the thermal management and plugging events and special keys and so on. And this controller has usually 8051 CPU or something. So that should be used and so on. So this is the x86 platform, currently it is using such things.
[00:02:19] And if we look how it looks today, we will find that the border between the hardware and software somehow diminishes a little and that there is a lot of firmware present. If you look through the Linux kernel, which has this firmware directory or the package, you will immediately spot that virtually any peripheral today has kind of firmware which needs to be uploaded to operate. But I would like to concentrate on the platform processors which are helping the main processor.

[00:03:03] And let's start with the Intel processor. As you might know, there is one which is remarkable, Intel Management Engine. We know this one. Great. So let's go to the AMD, because maybe it's not so much known, so in AMD platform, which you can buy today, you will find several other processors.
[00:03:32] The first one which I listed is the System Management Unit, which will be more on that later today. Then there is even a small 8051, which is located in the Southbridge, which is called Integrated Microcontroller. And of course there is also some other controller in the USB, which you can figure out in your homework what kind of controller it is. And in the end, the very recent AMD processor comes with something which is called Platform Security Processor. And this processor is Cortex-A5 with TrustZone, I think. And the reason why AMD introduced this processor is to redo the chain of the root of trust. So the idea perhaps behind this is to have something else which gives the root of trust while booting the x86 processor. So in fact, something which verifies the BIOS before even the BIOS is starting.
[00:04:42] But in this lecture, as I said, we will concentrate on the System Management Unit. But this is not the only platform which has such kind of special platform processors. If you look to our PC, you will notice that there are special channel or DMA processors which are also running there. And here is just the funny table, I hope I have it correct, so I'm not aware if there is any malware running on this kind of platform processors. But as for today, I can bet the platform processor has some bugs. So let's have a look.

[00:05:27] And to finish my introduction, I think it's a good way to increase kind of awareness of this. And because these platform processors are in every modern platform and you cannot simply disable it, because it's a genuine part of the system.
[00:05:52] So you have to live with it and that there could be possible security problems. And this is, I think, a very important point, that the hardware engineers are involved, which means most of them are not the software engineers. So if you ever have looked to some BIOS assembly codes or some small embedded system platforms, you know how clumsy they are. And this doesn't help the security much.

[00:06:25] And that is kind of advent of some very special firmwares which were found and which can be loaded to the current platforms. Most likely you are aware of the BadUSB stuff, which I think I have it. It's not, in fact, in the USB host controller, but in the client, in the USB device.
[00:06:52] But what you can also run is that you can run the Linux in your hard drive, because somebody with the nickname Sprite found out that the hard drive PCB contains three processors and you can run MMU-less Linux inside your hard drive and also fix the shadow if necessary, for example. So as you can see now, we live in an age where those processors are somehow bubbling out and something needs to be done.

[00:07:30] Yes, and I was speaking about the open source firmwares, and I believe there are also perhaps some closed-source firmwares. And here you can choose your right permutation of the vendor. OK, so this was just the first part of my story. And the second part is about how I went through the SMU stuff. And as usual, it begins that people read books and some, but it's also datasheets.
[00:08:06] And if you do that and have a look to this document, which is very nice, it describes how most of the stuff, how the modern AMD... But this is where I think it's called AMD BIOS and Kernel Developer's Guide. And if you have a look into this document for the very recent families, you will find this quote that there is something which is called the System Management Unit, and it takes responsibility for the power management and system related tasks. And the last sentence is quite nice, it says the SMU contains a microcontroller to assist. And this is the point where I started to think, let's have a look what it is, and if I can get some fun on it. So, and because I like the stuff like ciphers and so, this thing, it was very ideal topic for me.
[00:09:09] And this thing is also very special because it lives in those channels, but it is the part of the system-on-chip and it means in the end that it lives in the CPU. And this was the reason why I put the name Matryoshka processor. And while I was preparing my lecture, then I noticed that the Western people are not... and they simply don't know what the matryoshka is. And so I brought one to show you also, this is the main CPU and if you open it, there is a small one.

[00:09:53] And so, but this is not a part of the Czech culture, because we were the Soviet satellites some 20 years ago and there were not other presents available. So we kind of have still some of them in our homes, but please do not buy them in Prague as a tourist souvenir, because it's a tourist trap and please don't do that then. OK, so now back to the lecture.
[00:10:23] So what kind of microcontroller is there? Of course, nowadays Google knows quite a lot of answers. And if you put this to Google, you will get some more data sheets, which we will need later. But also you will get something from LinkedIn, and not just this one, but also a lot of other pages, which describe a lot about what the SMU is, in fact, doing. So here I won't read it all. But in fact, as you can see, it is a LatticeMico32 processor. It's doing some dynamic power stuff. And this guy apparently implemented the adaptive algorithm to deal with the power management. But please don't blame this one, because there are many more on LinkedIn, especially for the AMD employees and other employees.
[00:11:32] OK, so if you know that this is LatticeMico32, then it is quite a short introduction. So it is, I'd say, open core processor. You can get SDK for it, or you can download it, or you can compile your own toolchain, and you can get also the reference manual. So this is in general a very good start to think about this.

[00:12:03] And the Mico32 processor really likes the number 32, because it's a 32-bit processor with 32-bit instruction size. And you can guess how many registers inside the processor it has. Yes, it's 32. And because in the next part of the lecture I will need this information, so just quickly: we have the R0 which should hold the zero and the rest is quite obvious. This architecture is not like x86. It uses link register to save the return address from the function.
[00:12:42] And so far we know what kind of architecture we have, but we don't know where to look for the firmware. So the hard way is, of course, to desolder the flash chip, which is on the board, to read it out in some programmer and look if there is not the firmware. But in fact there is an easy way, because on these platforms the BIOS image is a complete image of the flash. So you can have a look for the firmware in this image. So you don't need to do this desoldering stuff and reading out.

[00:13:27] And I put some clue here that the firmware is part of something which is called AGESA, this is AMD platform initialization blob, which initializes every aspect of the platform. And this is included from AMD into the vendor BIOS and it is called during the BIOS execution to perform the initialization steps.
[00:13:56] And to get the firmware, you can download virtually any BIOS from the net, for example, for the motherboard which I was using for my experiments, and now, because I already told you it's in the BIOS, so you can try the text search and search for SMU. And if you do that, you will find something like this. If you look to the slide, that is underscore SMU underscore SMU, and this thing is most likely just an anchor to allow other, perhaps AMD, people to find it more easily inside the blob. I have no other explanation of this. Then the bold text is the actual firmware, which is for the SMU part, and you have many firmwares, many, like three or four. And it's just because it just supports different CPUs like Trinity or Richland and also others. So for example.
[00:15:09] So the next thing is that we are on the Communication Congress, so we have to communicate also with this processor, and we would like to communicate from the x86 processor. So, and this is where the document I mentioned is again helping, because it is described and documented in the public documentation that there are these two registers, which you can use as kind of a gateway to the address space of this processor.

[00:15:41] And here, let me take a little detour, that if it is not documented, it doesn't mean it doesn't exist, it's just a delay. And on the other hand, I do appreciate that AMD is putting a lot of effort to have documented platforms, way more than Intel. So please try to support them at least like this. So let's write some simple utility to dump the address space of the System Management Unit from running system. I used Linux. So if you do that, I know it's rather small, but I will fix it later.
[00:16:19] If you do that, you will see that it is kind of strange data. It's repeating 55, 55 and again, and this is for the first 64 kilobytes. So then it's getting a little bit better, because you will immediately see that at the offset of 64 kilobytes it starts to be the same as you have found already in the BIOS, which you or I analyzed. But what is strange is that after the 256 bytes the data is again this 55 55 A, which means that the runtime firmware is most likely hidden from you so you cannot modify it, and then some random garbage follows. So this is how it looks if you dump the first 64 kilobytes segment. I put it into the nice table so it is more easily understandable. We will look now to the header and then we can go back to the firmware. OK.
[00:17:39] And I need to drink some water because. OK, so this is quite easy stuff, in the firmware header you will find what you think it should be: you will find out that there is a version number, there is the length of the header, there is the length of the firmware, there is also something which looks like entry point, and the offset is certain in the hexadecimal. There is something which looks like a checksum, it looks like very random data. And in the end of the header there is 55 55 A signature. And then it continues with some firmware, which we don't know yet. It could be the first instruction.

[00:18:32] So let's have a look at the instruction stuff, so as I said, it immediately follows the header. And if you disassemble this instruction, this zero zero zero, like three zeros and 98 at the end, and the second one is the same.
[00:18:52] So you will get this instruction which is quite unhappy and it is garbage, but you have to try something else, and it's like big-endian, for example. And if you do that, you will get something which is very promising, because as I have shown you, it is expected that in the register R0 is in fact a zero. So it looks good. And is there someone who can do something with the radar software?

[00:19:26] Oh, yes, please, I will need some kickstarts to this because, as you will see, I did it in very own way, so I decided I will convert the firmware to the ELF file. And I did it with objcopy like this. So I created one section which I marked it is executable. And then I used objdump to dump it back. And if I have done it, so I got this first step. So here, as you can see, it's just zeros. I don't know why waste time, but this, so they are zero.
[00:20:04] Then it disables interrupts and sets up the exception handlers, and then it sets, in another place in the routine, sets up the stack and zeros the BSS, and it's classic crt0 startup. So I decided I will put back some more symbols so I can use nicer objdump. And exception handlers were described in the Mico32 manual, so I could add more data to my linker script and identify the exception handlers of the firmware.

[00:20:39] And if you look to the functions, they look pretty standard. They have some prolog and epilog, so I just skip this for now. And here, I think it was a great idea, and I said that Lattice has the SDK, and I looked into the SDK and found out that there is crt0 and some C functions which were handling the interrupts and interrupt routines allocation and the registration and so on.
552 00:21:13,880 --> 00:21:16,839 And I also checked the 553 00:21:16,840 --> 00:21:18,949 the binary image 554 00:21:18,950 --> 00:21:21,499 of the example of each letter is included 555 00:21:21,500 --> 00:21:23,449 in the in the SDK. 556 00:21:23,450 --> 00:21:25,609 And I found out that AMD in 557 00:21:25,610 --> 00:21:27,710 fact uses this also. 558 00:21:29,330 --> 00:21:31,769 So I was able to fill my 559 00:21:31,770 --> 00:21:34,609 script again with some more functions. 560 00:21:34,610 --> 00:21:36,799 It's it's not exactly the same because 561 00:21:36,800 --> 00:21:39,049 of the different VXI most likely, 562 00:21:39,050 --> 00:21:40,249 but it's very similar. 563 00:21:41,840 --> 00:21:44,269 OK, so let's, 564 00:21:44,270 --> 00:21:46,549 let's see how to communicate with 565 00:21:46,550 --> 00:21:48,919 the SMU firmware from uh 566 00:21:48,920 --> 00:21:50,899 from the operating system or from the 567 00:21:50,900 --> 00:21:52,039 BIOS. 568 00:21:52,040 --> 00:21:54,169 Uh, you can read in the manual that it 569 00:21:54,170 --> 00:21:55,939 is possible to invoke something which is 570 00:21:55,940 --> 00:21:58,729 called SMU firmware request, 571 00:21:58,730 --> 00:22:01,369 and this is documented 572 00:22:01,370 --> 00:22:03,619 again, and it 573 00:22:03,620 --> 00:22:05,389 will just write some request 574 00:22:05,390 --> 00:22:07,309 number to the register. 575 00:22:07,310 --> 00:22:09,379 Then you will just go 576 00:22:09,380 --> 00:22:11,599 to the interrupt inside the 577 00:22:11,600 --> 00:22:14,359 register and 578 00:22:14,360 --> 00:22:16,519 the SMU will get the interrupt 579 00:22:16,520 --> 00:22:18,949 and proceed 580 00:22:18,950 --> 00:22:21,049 with the with this kind of 581 00:22:21,050 --> 00:22:23,119 interrupt and then 582 00:22:23,120 --> 00:22:26,179 also return if the interrupt 583 00:22:26,180 --> 00:22:28,519 already 17 was successful or not. 584 00:22:28,520 --> 00:22:29,520 So.
585 00:22:30,880 --> 00:22:33,039 In the detail, this is what I 586 00:22:33,040 --> 00:22:35,199 found out, is that most of 587 00:22:35,200 --> 00:22:37,959 the stuff is power management related. 588 00:22:37,960 --> 00:22:40,089 It's something which is called budget a 589 00:22:40,090 --> 00:22:42,879 of power management, and that 590 00:22:42,880 --> 00:22:45,309 the custom registers are usually located 591 00:22:45,310 --> 00:22:48,129 at the end of the second 592 00:22:48,130 --> 00:22:50,369 64 kilobyte segment. 593 00:22:52,240 --> 00:22:54,369 And this is not 594 00:22:54,370 --> 00:22:57,429 only this, there were also some 595 00:22:57,430 --> 00:22:59,829 functions or some service functions 596 00:22:59,830 --> 00:23:01,839 which were quite easy to understand. 597 00:23:01,840 --> 00:23:04,179 There were some for the 598 00:23:04,180 --> 00:23:06,099 flushing of the data caches and 599 00:23:06,100 --> 00:23:07,100 instructions. 600 00:23:07,630 --> 00:23:09,659 There was also a very special request, 601 00:23:09,660 --> 00:23:12,039 which I nicknamed Ping 602 00:23:12,040 --> 00:23:14,379 Request, because it just incremented 603 00:23:14,380 --> 00:23:16,719 one register by one and this was 604 00:23:16,720 --> 00:23:18,609 all that it was in fact doing, 605 00:23:19,930 --> 00:23:21,029 so. 606 00:23:21,030 --> 00:23:23,349 Now we know quite a lot about 607 00:23:23,350 --> 00:23:25,849 this SMU and 608 00:23:25,850 --> 00:23:28,059 now need to ask some 609 00:23:28,060 --> 00:23:29,409 questions. 610 00:23:29,410 --> 00:23:31,509 So if it is possible to run 611 00:23:31,510 --> 00:23:33,729 some program, our own 612 00:23:33,730 --> 00:23:35,829 program on it, and with all of 613 00:23:35,830 --> 00:23:37,149 the problems.
614 00:23:37,150 --> 00:23:39,399 So the obvious problems 615 00:23:39,400 --> 00:23:42,399 could be that there is this protection 616 00:23:42,400 --> 00:23:44,979 thing which doesn't, 617 00:23:44,980 --> 00:23:47,469 which means that the code is protected 618 00:23:47,470 --> 00:23:49,719 from the runtime modification. 619 00:23:49,720 --> 00:23:51,639 Plus there is something which looks like 620 00:23:51,640 --> 00:23:52,989 the checksum. 621 00:23:52,990 --> 00:23:55,059 Plus, if we would modify the BIOS, 622 00:23:55,060 --> 00:23:56,919 it would mean that the BIOS on its own 623 00:23:56,920 --> 00:23:58,839 has some kind of checksums. 624 00:23:58,840 --> 00:24:01,139 So this 625 00:24:01,140 --> 00:24:03,219 this is the problem we need somehow to 626 00:24:03,220 --> 00:24:05,439 solve. So this is, again, 627 00:24:05,440 --> 00:24:07,599 just from the firmware header, as I was 628 00:24:07,600 --> 00:24:11,079 telling in in the beginning. 629 00:24:11,080 --> 00:24:13,419 So there 630 00:24:13,420 --> 00:24:15,969 is this 20 bytes or something 631 00:24:15,970 --> 00:24:18,369 which still needs to be found out. 632 00:24:18,370 --> 00:24:20,559 And this is 633 00:24:20,560 --> 00:24:22,029 in fact one hundred sixty bits. 634 00:24:23,920 --> 00:24:25,269 So. 635 00:24:25,270 --> 00:24:27,489 Well, this could be yes, 636 00:24:27,490 --> 00:24:29,859 that could be SHA-1. 637 00:24:31,270 --> 00:24:33,729 So I tried really hard with 638 00:24:33,730 --> 00:24:36,429 many permutations like computed 639 00:24:36,430 --> 00:24:38,689 from the firmware without 640 00:24:38,690 --> 00:24:40,479 the header, with the header a little bit 641 00:24:40,480 --> 00:24:42,579 and then with zeros instead 642 00:24:42,580 --> 00:24:44,019 of the places where it is. 643 00:24:44,020 --> 00:24:46,389 And I simply failed, 644 00:24:46,390 --> 00:24:48,609 I didn't, I didn't 645 00:24:48,610 --> 00:24:49,659 find out how to do that.
646 00:24:51,450 --> 00:24:53,729 Yes, and this is what I said already. 647 00:24:53,730 --> 00:24:56,159 So the second thing is runtime 648 00:24:56,160 --> 00:24:58,019 code injection. 649 00:24:58,020 --> 00:25:00,089 So how to do 650 00:25:00,090 --> 00:25:01,019 that? 651 00:25:01,020 --> 00:25:03,149 We have this problem that the code and 652 00:25:03,150 --> 00:25:04,859 data segment is hidden. 653 00:25:04,860 --> 00:25:07,139 And, uh, and so 654 00:25:07,140 --> 00:25:09,329 it looks like it's 655 00:25:09,330 --> 00:25:10,919 protected. 656 00:25:10,920 --> 00:25:13,289 So but there are also ranges 657 00:25:13,290 --> 00:25:14,999 which are not protected. 658 00:25:15,000 --> 00:25:17,249 And this was seen 659 00:25:17,250 --> 00:25:19,739 in the big dump I showed you 660 00:25:19,740 --> 00:25:21,089 in the beginning. 661 00:25:21,090 --> 00:25:23,729 And let's examine 662 00:25:23,730 --> 00:25:26,699 this further and see if 663 00:25:26,700 --> 00:25:28,859 if you can write there something. 664 00:25:28,860 --> 00:25:30,929 So in this slide, you'll 665 00:25:30,930 --> 00:25:31,930 see that 666 00:25:33,030 --> 00:25:35,369 there is this five, five and 667 00:25:35,370 --> 00:25:36,539 so on again. 668 00:25:36,540 --> 00:25:38,789 And at the DC 669 00:25:38,790 --> 00:25:41,039 50, it stops 670 00:25:41,040 --> 00:25:42,930 and there is some random stuff. 671 00:25:44,410 --> 00:25:46,509 And the header, 672 00:25:46,510 --> 00:25:48,849 as I have told you already, is also 673 00:25:48,850 --> 00:25:50,949 visible. So these are 674 00:25:50,950 --> 00:25:53,499 these two regions, and in the end 675 00:25:53,500 --> 00:25:55,959 of the of the of the 64 676 00:25:55,960 --> 00:25:57,849 kilobyte segment, there is this 677 00:25:57,850 --> 00:25:59,979 communication area with some random 678 00:25:59,980 --> 00:26:01,299 garbage.
679 00:26:01,300 --> 00:26:02,470 So if you look 680 00:26:03,550 --> 00:26:07,059 at the data which are 681 00:26:07,060 --> 00:26:09,729 which are to be seen 682 00:26:09,730 --> 00:26:11,949 right after the protection, 683 00:26:11,950 --> 00:26:13,689 it looks like something like this, and 684 00:26:13,690 --> 00:26:15,789 there are some 685 00:26:15,790 --> 00:26:18,009 there is some strange things happening 686 00:26:18,010 --> 00:26:18,909 here. 687 00:26:18,910 --> 00:26:21,159 So the data matches some 688 00:26:21,160 --> 00:26:23,319 functions in 689 00:26:23,320 --> 00:26:25,429 the firmware, which I need 690 00:26:25,430 --> 00:26:26,430 to tell. 691 00:26:27,310 --> 00:26:28,239 What is it? 692 00:26:28,240 --> 00:26:29,739 So I don't know. 693 00:26:29,740 --> 00:26:32,589 And what is 694 00:26:32,590 --> 00:26:34,689 more strange is that this part 695 00:26:34,690 --> 00:26:36,819 is still part 696 00:26:36,820 --> 00:26:37,839 of the BIOS image. 697 00:26:37,840 --> 00:26:40,239 So somehow 698 00:26:40,240 --> 00:26:42,549 something went wrong with that, 699 00:26:44,200 --> 00:26:45,740 even more than terrible. 700 00:26:47,980 --> 00:26:51,369 So there is a first problem that 701 00:26:51,370 --> 00:26:54,099 there is some problem that the 702 00:26:54,100 --> 00:26:57,639 256 bytes 703 00:26:57,640 --> 00:27:00,129 is missing in the protection 704 00:27:00,130 --> 00:27:02,589 and there is also 705 00:27:02,590 --> 00:27:03,639 the same length. 706 00:27:03,640 --> 00:27:05,889 So it looks like it's 707 00:27:05,890 --> 00:27:08,259 kind of problem that 708 00:27:08,260 --> 00:27:10,629 this this part is not not covered 709 00:27:10,630 --> 00:27:12,969 because someone forgot to add it 710 00:27:12,970 --> 00:27:13,970 over there.
711 00:27:16,030 --> 00:27:18,159 So because of this, we 712 00:27:18,160 --> 00:27:20,619 need to ask more, can we change 713 00:27:20,620 --> 00:27:23,349 this offset data during runtime, 714 00:27:23,350 --> 00:27:24,609 and the answer is yes. 715 00:27:26,140 --> 00:27:28,929 And is there something 716 00:27:28,930 --> 00:27:31,689 which invokes this function pointer 717 00:27:31,690 --> 00:27:32,769 from the offset data? 718 00:27:32,770 --> 00:27:35,109 And the answer is also yes. 719 00:27:35,110 --> 00:27:37,339 In fact, there is I 720 00:27:37,340 --> 00:27:38,439 see this 721 00:27:39,490 --> 00:27:41,929 there is this this function which handles 722 00:27:41,930 --> 00:27:44,589 various interrupt requests from the SMU. 723 00:27:44,590 --> 00:27:46,679 And one of the requests 724 00:27:46,680 --> 00:27:48,909 is also which is present 725 00:27:48,910 --> 00:27:51,519 this SMU request function handler, 726 00:27:51,520 --> 00:27:53,109 which gets invoked. 727 00:27:53,110 --> 00:27:55,209 So now we can 728 00:27:55,210 --> 00:27:57,189 think about how to run the program. 729 00:27:58,940 --> 00:28:01,039 So I took 730 00:28:01,040 --> 00:28:03,169 the obvious approach to allow this 731 00:28:03,170 --> 00:28:05,359 to a new start over the 732 00:28:05,360 --> 00:28:07,369 second 64 kilobyte segment, 733 00:28:08,690 --> 00:28:10,759 I put that in the quotes 734 00:28:10,760 --> 00:28:12,559 because I don't know if it was really an 735 00:28:12,560 --> 00:28:15,199 unused place or I was just lucky. 736 00:28:15,200 --> 00:28:17,669 So we can modify the pointer 737 00:28:17,670 --> 00:28:20,209 in the offset data and 738 00:28:22,760 --> 00:28:24,079 then when we finished.
739 00:28:26,350 --> 00:28:28,479 We return the control to 740 00:28:28,480 --> 00:28:30,129 the original function to handle the 741 00:28:30,130 --> 00:28:32,409 request and also the IRQ request, 742 00:28:32,410 --> 00:28:33,999 so it's cleanly done 743 00:28:35,200 --> 00:28:36,409 and violated. 744 00:28:36,410 --> 00:28:39,009 I also included here the 745 00:28:39,010 --> 00:28:41,899 this is actually the function which 746 00:28:41,900 --> 00:28:44,559 which is invoked 747 00:28:44,560 --> 00:28:45,939 for the SMU request. 748 00:28:48,130 --> 00:28:50,769 And now we can also 749 00:28:50,770 --> 00:28:51,799 go through this one. 750 00:28:53,110 --> 00:28:55,689 So first, it acknowledges 751 00:28:55,690 --> 00:28:58,029 this SMU request interrupt, 752 00:28:58,030 --> 00:29:00,760 which came because of this register 753 00:29:03,100 --> 00:29:05,559 with the request number, which was stored 754 00:29:05,560 --> 00:29:08,379 in some other register, then masked 755 00:29:08,380 --> 00:29:11,679 and shifted, and then 756 00:29:11,680 --> 00:29:13,989 it loads the base of the function 757 00:29:13,990 --> 00:29:15,909 pointer table, which is different from 758 00:29:15,910 --> 00:29:18,039 previous. This is another function 759 00:29:18,040 --> 00:29:20,229 and allows this to go to the 760 00:29:20,230 --> 00:29:22,719 register R2 and 761 00:29:22,720 --> 00:29:23,829 then call it. 762 00:29:23,830 --> 00:29:26,589 So is there anyone who sees 763 00:29:26,590 --> 00:29:27,640 already the problem? 764 00:29:30,470 --> 00:29:32,690 No. OK, so. 765 00:29:34,170 --> 00:29:35,309 I give you more time. 766 00:29:38,700 --> 00:29:40,829 OK, so so there is 767 00:29:40,830 --> 00:29:42,420 no check for the bounds, so 768 00:29:43,980 --> 00:29:46,259 in fact, it means that you can 769 00:29:46,260 --> 00:29:48,479 run something which is not 770 00:29:48,480 --> 00:29:50,669 in the in the array 771 00:29:50,670 --> 00:29:51,670 for the pointers.
772 00:29:52,830 --> 00:29:55,229 And this is bad. 773 00:29:55,230 --> 00:29:57,329 So something 774 00:29:57,330 --> 00:29:58,469 went wrong again. 775 00:29:59,680 --> 00:30:02,969 Um, because we control this 776 00:30:02,970 --> 00:30:05,199 this 15 base value, which we are 777 00:30:05,200 --> 00:30:07,069 passing through the request to this 778 00:30:07,070 --> 00:30:09,549 function, then 779 00:30:09,550 --> 00:30:11,979 the offset where the pointer 780 00:30:11,980 --> 00:30:13,869 table starts is also known. 781 00:30:13,870 --> 00:30:16,209 So we can simply 782 00:30:16,210 --> 00:30:18,489 simply load to some other 783 00:30:18,490 --> 00:30:20,739 as a pointer to our 784 00:30:20,740 --> 00:30:22,539 function, which we retrieved, which we 785 00:30:22,540 --> 00:30:23,619 can load there. 786 00:30:23,620 --> 00:30:25,879 And if we call the 787 00:30:25,880 --> 00:30:28,029 SMU request with the 788 00:30:28,030 --> 00:30:30,279 right number, which matches, 789 00:30:30,280 --> 00:30:32,439 then we can again execute 790 00:30:32,440 --> 00:30:33,440 our own code. 791 00:30:36,350 --> 00:30:38,359 Yes, including governor injected 792 00:30:38,360 --> 00:30:39,799 functions, the. 793 00:30:44,680 --> 00:30:45,680 So 794 00:30:47,080 --> 00:30:48,969 in this case, it means that we can 795 00:30:48,970 --> 00:30:51,229 execute our own code inside 796 00:30:51,230 --> 00:30:53,379 the SMU, but 797 00:30:53,380 --> 00:30:55,869 there are still some regions which 798 00:30:55,870 --> 00:30:58,059 are not available 799 00:30:58,060 --> 00:31:00,279 to us, and I was interested 800 00:31:00,280 --> 00:31:01,569 what I can find there. 801 00:31:01,570 --> 00:31:03,909 So in this case, it is the 802 00:31:03,910 --> 00:31:06,729 region for the 803 00:31:06,730 --> 00:31:08,799 for the first 64 804 00:31:08,800 --> 00:31:09,800 kilobytes. 805 00:31:18,940 --> 00:31:20,109 Yes, so.
806 00:31:22,390 --> 00:31:24,459 Everything begins like, but I think 807 00:31:24,460 --> 00:31:27,039 a program, so let's start and some 808 00:31:27,040 --> 00:31:28,719 and this one will be quite easy. 809 00:31:28,720 --> 00:31:31,029 We will use the methods I told 810 00:31:31,030 --> 00:31:33,099 you right now to 811 00:31:33,100 --> 00:31:35,439 actually program some kind 812 00:31:35,440 --> 00:31:36,669 of function. 813 00:31:36,670 --> 00:31:38,859 Sure. Which allows us to copy four 814 00:31:38,860 --> 00:31:41,019 bytes from any place inside the 815 00:31:41,020 --> 00:31:43,149 firmware and copy it 816 00:31:44,290 --> 00:31:46,419 to to some place which is not protected, 817 00:31:46,420 --> 00:31:47,769 which we can read. 818 00:31:47,770 --> 00:31:49,959 And we can use this number 819 00:31:49,960 --> 00:31:51,309 as many times as we like. 820 00:31:51,310 --> 00:31:54,339 And it means we can dump the first 64 821 00:31:54,340 --> 00:31:56,219 kilobytes to see what is there. 822 00:31:58,020 --> 00:32:00,809 Yes, so let's have a look. 823 00:32:00,810 --> 00:32:02,269 What is there? 824 00:32:02,270 --> 00:32:04,559 I do think it's most likely 825 00:32:04,560 --> 00:32:05,519 a ROM. 826 00:32:05,520 --> 00:32:07,589 I like my processor and 827 00:32:07,590 --> 00:32:09,689 I have written data there 828 00:32:09,690 --> 00:32:12,359 only once, very covertly, 829 00:32:12,360 --> 00:32:13,689 and nothing happens. 830 00:32:13,690 --> 00:32:15,689 So most likely this this is the ROM 831 00:32:15,690 --> 00:32:16,690 part. 832 00:32:18,060 --> 00:32:19,919 What is interesting is that it has the 833 00:32:19,920 --> 00:32:22,079 same structure as the runtime 834 00:32:22,080 --> 00:32:24,299 firmware, but 835 00:32:24,300 --> 00:32:26,700 with more complex initialization.
836 00:32:28,200 --> 00:32:30,539 And it implements only 837 00:32:30,540 --> 00:32:32,430 a small request, zero, 838 00:32:33,450 --> 00:32:35,999 which which 839 00:32:36,000 --> 00:32:38,489 verifies the firmware, 840 00:32:38,490 --> 00:32:40,379 which is loaded by the BIOS. 841 00:32:40,380 --> 00:32:42,489 So while the computer is starting, 842 00:32:42,490 --> 00:32:44,819 most likely this gets executed 843 00:32:44,820 --> 00:32:47,669 first, then it waits for this request, 844 00:32:47,670 --> 00:32:49,769 and BIOS will load 845 00:32:49,770 --> 00:32:51,569 the firmware from the 846 00:32:51,570 --> 00:32:54,059 BIOS image to the 847 00:32:54,060 --> 00:32:56,339 to the second 64 848 00:32:56,340 --> 00:32:58,589 kilobytes, then invokes this, 849 00:32:58,590 --> 00:33:01,049 and the 850 00:33:01,050 --> 00:33:03,779 firmware in the in the ROM 851 00:33:03,780 --> 00:33:05,579 will ultimately figure 852 00:33:06,840 --> 00:33:07,840 this kind of. 853 00:33:10,350 --> 00:33:12,509 So and if we can analyze 854 00:33:12,510 --> 00:33:14,609 it, we can also see what went wrong with 855 00:33:14,610 --> 00:33:17,249 this 256 856 00:33:17,250 --> 00:33:18,250 byte offset. 857 00:33:19,420 --> 00:33:21,459 And, of course, what kind of issue it is. 858 00:33:22,750 --> 00:33:24,519 So this function. 859 00:33:26,210 --> 00:33:28,319 If you look, it is not one function, 860 00:33:28,320 --> 00:33:31,099 in fact, it's much more than one function 861 00:33:31,100 --> 00:33:33,529 and there are some strange constants 862 00:33:33,530 --> 00:33:34,530 like this, 863 00:33:35,750 --> 00:33:38,539 anyone knows what these constants 864 00:33:38,540 --> 00:33:39,540 are.
865 00:33:40,660 --> 00:33:43,509 I didn't know either, so I had to 866 00:33:43,510 --> 00:33:45,999 get help, and 867 00:33:46,000 --> 00:33:48,129 if you look, there is another 868 00:33:48,130 --> 00:33:50,259 clue that it's SHA-1 or 869 00:33:50,260 --> 00:33:51,260 HMAC. 870 00:33:52,680 --> 00:33:54,989 And I had 871 00:33:54,990 --> 00:33:57,149 some difficulties because I didn't have any 872 00:33:57,150 --> 00:33:59,369 proper disassembler, so 873 00:33:59,370 --> 00:34:01,529 how to make sense of these big 874 00:34:01,530 --> 00:34:03,629 functions, and well, I 875 00:34:03,630 --> 00:34:06,599 found out I can use something which is 876 00:34:06,600 --> 00:34:07,739 obviously known. 877 00:34:07,740 --> 00:34:10,468 It's called QEMU, so 878 00:34:10,469 --> 00:34:13,619 it has support for it. 879 00:34:13,620 --> 00:34:16,229 And I hacked it a little bit to 880 00:34:16,230 --> 00:34:18,749 have support for this memory layout, 881 00:34:18,750 --> 00:34:20,939 which was like they will change to 882 00:34:20,940 --> 00:34:22,079 one file. 883 00:34:22,080 --> 00:34:24,209 So I loaded it in the QEMU, the ROM 884 00:34:24,210 --> 00:34:26,968 part forever and RAM part forever. 885 00:34:26,969 --> 00:34:28,169 And I also 886 00:34:29,330 --> 00:34:32,009 I started QEMU until executing 887 00:34:32,010 --> 00:34:34,109 the authentication function. 888 00:34:35,480 --> 00:34:37,669 And I was able to debug it with 889 00:34:37,670 --> 00:34:40,009 GDB and to see what's really 890 00:34:40,010 --> 00:34:41,479 happening. 891 00:34:41,480 --> 00:34:43,789 So now what I have found 892 00:34:43,790 --> 00:34:46,249 out is here, so 893 00:34:46,250 --> 00:34:48,408 the authentication function.
894 00:34:48,409 --> 00:34:50,928 It loads the data from the 895 00:34:50,929 --> 00:34:53,029 firmware, then it 896 00:34:53,030 --> 00:34:55,158 flushes the data caches, computes the 897 00:34:55,159 --> 00:34:57,619 hash function, flushes the data caches 898 00:34:57,620 --> 00:34:59,749 again, and 899 00:34:59,750 --> 00:35:00,649 then it checks 900 00:35:00,650 --> 00:35:02,959 if the hash is matching 901 00:35:02,960 --> 00:35:05,280 in the firmware, in the firmware header. 902 00:35:06,380 --> 00:35:08,569 Here it is using the constant 903 00:35:08,570 --> 00:35:09,499 time algorithm. 904 00:35:09,500 --> 00:35:11,359 So it means if the hash is different, you 905 00:35:11,360 --> 00:35:13,519 cannot use the timing attack as 906 00:35:13,520 --> 00:35:15,179 it was possible, I believe, on the 907 00:35:15,180 --> 00:35:17,599 Nintendo Wii or some something 908 00:35:17,600 --> 00:35:18,499 like this. 909 00:35:18,500 --> 00:35:20,389 So, so far so good. 910 00:35:20,390 --> 00:35:23,419 It also sets the protection 911 00:35:23,420 --> 00:35:24,379 registers. 912 00:35:24,380 --> 00:35:27,349 And here is the problem, because 913 00:35:27,350 --> 00:35:29,749 the size of the firmware does not include 914 00:35:29,750 --> 00:35:32,029 the header. So they thought 915 00:35:32,030 --> 00:35:34,099 it's included, but it was 916 00:35:34,100 --> 00:35:36,259 not. And this explains why there 917 00:35:36,260 --> 00:35:38,899 is this 256 918 00:35:38,900 --> 00:35:41,059 bytes gap on the part which should 919 00:35:41,060 --> 00:35:42,710 be covered, but it is not. 920 00:35:44,180 --> 00:35:45,379 And it changes 921 00:35:45,380 --> 00:35:48,259 also the reset vector of the 922 00:35:48,260 --> 00:35:50,209 of the LM32.
923 00:35:50,210 --> 00:35:52,549 So next time the 924 00:35:52,550 --> 00:35:55,099 ROM is not executed anymore and 925 00:35:55,100 --> 00:35:57,709 the authenticated firmware 926 00:35:57,710 --> 00:35:59,809 is run, and 927 00:35:59,810 --> 00:36:01,969 in the end it signals back 928 00:35:01,970 --> 00:36:03,650 the results to the BIOS. 929 00:36:05,550 --> 00:36:07,839 So how it looks with the 930 00:36:07,840 --> 00:36:09,929 header checksum, so 931 00:36:09,930 --> 00:36:12,299 it is not a checksum but a hash, 932 00:36:12,300 --> 00:36:14,459 and debugging 933 00:36:14,460 --> 00:36:16,619 helped, and this 934 00:36:16,620 --> 00:36:18,749 is what I was telling you last time. 935 00:36:18,750 --> 00:36:20,909 And it is also it also 936 00:36:20,910 --> 00:36:23,309 means it is a symmetric key. 937 00:36:23,310 --> 00:36:25,439 And if it is a symmetric key, 938 00:36:25,440 --> 00:36:27,060 if there is anyone with the key, 939 00:36:29,010 --> 00:36:31,109 he can or she can sign 940 00:36:31,110 --> 00:36:32,110 firmware. 941 00:36:34,260 --> 00:36:36,509 I know that this question will 942 00:36:36,510 --> 00:36:38,339 arise, so I will answer it in a 943 00:36:38,340 --> 00:36:39,340 second. 944 00:36:48,040 --> 00:36:49,400 I do have some keys. 945 00:36:54,310 --> 00:36:55,500 Yes, OK. 946 00:37:04,650 --> 00:37:06,939 So now you can close your eyes. 947 00:37:09,540 --> 00:37:10,540 Yes. 948 00:37:14,210 --> 00:37:16,489 Yes, so who has closed the eyes? 949 00:37:16,490 --> 00:37:17,989 It's great to know. Close your eyes, 950 00:37:17,990 --> 00:37:20,119 really. I'm watching you, and wait 951 00:37:20,120 --> 00:37:21,120 for the next slide. 952 00:37:22,760 --> 00:37:23,760 So 953 00:37:24,940 --> 00:37:27,379 the eyes now, you can open them so 954 00:37:27,380 --> 00:37:29,659 you can actually read that it's 955 00:37:29,660 --> 00:37:30,660 called The Secret. 956 00:37:32,060 --> 00:37:34,310 So now I will press the space.
957 00:37:39,130 --> 00:37:40,819 Now, you can see that it was a little 958 00:37:40,820 --> 00:37:43,179 spoiler because the 42 959 00:37:43,180 --> 00:37:44,469 is, in fact, the slide number. 960 00:37:52,410 --> 00:37:53,909 So let's move on 961 00:37:55,290 --> 00:37:57,539 to slide number 43, there will be no 962 00:37:57,540 --> 00:37:58,540 43, 963 00:37:59,790 --> 00:38:02,789 there will be some jokes which 964 00:38:02,790 --> 00:38:04,979 are which will 965 00:38:04,980 --> 00:38:07,139 be fun, at least 966 00:38:07,140 --> 00:38:08,140 for someone. 967 00:38:09,150 --> 00:38:11,210 Is there anyone from Czech Republic? 968 00:38:12,270 --> 00:38:13,739 So great. 969 00:38:13,740 --> 00:38:15,839 This is not a secret in Czech Republic 970 00:38:15,840 --> 00:38:18,569 and it is not a secret anymore here. 971 00:38:18,570 --> 00:38:20,699 So I will also skip it. 972 00:38:20,700 --> 00:38:21,700 And 973 00:38:24,000 --> 00:38:26,429 the secret, of course, remains a secret. 974 00:38:26,430 --> 00:38:27,430 So. 975 00:38:28,560 --> 00:38:30,779 But now it is time to 976 00:38:30,780 --> 00:38:33,359 write some email to AMD 977 00:38:33,360 --> 00:38:35,579 and we need to write them something. 978 00:38:35,580 --> 00:38:37,709 So this is what I have done. 979 00:38:37,710 --> 00:38:40,349 I wrote to whom it may concern. 980 00:38:41,700 --> 00:38:43,409 I have discovered a security 981 00:38:43,410 --> 00:38:45,149 vulnerability in the recent AMD 982 00:38:45,150 --> 00:38:47,189 processor, which allows arbitrary code 983 00:38:47,190 --> 00:38:49,949 execution on the system management 984 00:38:49,950 --> 00:38:52,049 unit, and I had 985 00:38:52,050 --> 00:38:53,949 trouble to find out whom to write.
986 00:38:53,950 --> 00:38:56,129 So I decided to use LinkedIn 987 00:38:56,130 --> 00:38:58,299 to find some contacts to some 988 00:38:58,300 --> 00:39:00,479 sensible engineers which looked 989 00:39:00,480 --> 00:39:02,339 like they are responsible for this, 990 00:39:03,450 --> 00:39:05,130 and how to support the claim. 991 00:39:06,270 --> 00:39:08,339 I changed the ping function to 992 00:39:08,340 --> 00:39:10,739 add instead of one to add 993 00:39:10,740 --> 00:39:13,739 two in hexadecimal, 994 00:39:13,740 --> 00:39:15,179 and I fixed the hash 995 00:39:16,440 --> 00:39:18,179 and then I sent it to AMD, 996 00:39:20,460 --> 00:39:23,729 and so and now 997 00:39:23,730 --> 00:39:26,099 something about how it went. 998 00:39:26,100 --> 00:39:28,569 So I analyzed it 999 00:39:28,570 --> 00:39:30,899 during the Christmas 2013 1000 00:39:30,900 --> 00:39:33,359 while I was watching 1001 00:39:33,360 --> 00:39:35,459 Chaos Communication Congress in a little 1002 00:39:35,460 --> 00:39:37,500 window, but in the big window, the firmware, 1003 00:39:39,090 --> 00:39:41,519 and sometime 1004 00:39:41,520 --> 00:39:44,009 later I found 1005 00:39:44,010 --> 00:39:45,779 the bugs I presented to you. 1006 00:39:47,250 --> 00:39:49,349 And I 1007 00:39:49,350 --> 00:39:51,659 reported it to AMD on the last days 1008 00:39:51,660 --> 00:39:53,819 of the, uh, of 1009 00:39:53,820 --> 00:39:55,949 April, and in like 1010 00:39:55,950 --> 00:39:58,769 two weeks, I received 1011 00:39:58,770 --> 00:39:59,819 a response. 1012 00:39:59,820 --> 00:40:02,069 Please, can you give us more information? 1013 00:40:02,070 --> 00:40:04,229 And so I started 1014 00:40:04,230 --> 00:40:06,299 to encrypt the communication between 1015 00:40:06,300 --> 00:40:07,440 me and AMD. 1016 00:40:08,610 --> 00:40:10,709 Uh, I've written in the detail 1017 00:40:10,710 --> 00:40:12,249 what is the problem.
1018 00:40:12,250 --> 00:40:14,789 And then in July, 1019 00:40:14,790 --> 00:40:16,440 they acknowledged the problem. 1020 00:40:17,970 --> 00:40:19,439 In the meanwhile, there was some 1021 00:40:19,440 --> 00:40:22,229 communication, and 1022 00:40:22,230 --> 00:40:24,719 in November at the end, I received 1023 00:40:24,720 --> 00:40:27,119 a list of versions which 1024 00:40:27,120 --> 00:40:28,509 will contain the fix. 1025 00:40:28,510 --> 00:40:31,199 So now it is fixed, and 1026 00:40:31,200 --> 00:40:33,269 the conclusion is that they 1027 00:40:33,270 --> 00:40:35,219 responded like the next day, 1028 00:40:35,220 --> 00:40:36,889 because they are on another continent 1029 00:40:36,890 --> 00:40:39,119 than me. So it was fun, 1030 00:40:39,120 --> 00:40:40,049 too. 1031 00:40:40,050 --> 00:40:42,269 And fast. So fast to speak 1032 00:40:42,270 --> 00:40:43,270 with them. 1033 00:40:43,770 --> 00:40:45,689 And that's it. 1034 00:40:45,690 --> 00:40:48,419 And yes, the fixed problems, 1035 00:40:48,420 --> 00:40:50,489 both issues are now 1036 00:40:50,490 --> 00:40:51,490 fixed. 1037 00:40:52,110 --> 00:40:54,059 So the firmware is now patched. 1038 00:40:54,060 --> 00:40:56,099 So that is not a problem 1039 00:40:56,100 --> 00:40:58,889 again, with this with this 1040 00:40:58,890 --> 00:41:01,229 with this problem inside the 1041 00:41:01,230 --> 00:41:03,269 inside the routine, which is 1042 00:41:03,270 --> 00:41:04,829 authenticating the firmware, 1043 00:41:06,060 --> 00:41:08,279 the the problem with the 1044 00:41:08,280 --> 00:41:10,379 SMU request, the function 1045 00:41:10,380 --> 00:41:12,599 I checked, it is also fixed. 1046 00:41:12,600 --> 00:41:14,849 And some other unrelated fixes 1047 00:41:14,850 --> 00:41:17,099 to this, some vulnerabilities in 1048 00:41:17,100 --> 00:41:20,159 some other processors, are also fixed.
1049 00:41:20,160 --> 00:41:22,530 So now it looks 1050 00:41:25,500 --> 00:41:27,789 as you as I already told you, the 1051 00:41:27,790 --> 00:41:30,219 firmware is part of the AMD AGESA. 1052 00:41:30,220 --> 00:41:32,279 And now it 1053 00:41:32,280 --> 00:41:35,339 is time to ask your vendor 1054 00:41:35,340 --> 00:41:36,869 for updated AGESA. 1055 00:41:36,870 --> 00:41:37,980 And I think 1056 00:41:39,540 --> 00:41:41,759 it is a good idea to do 1057 00:41:41,760 --> 00:41:43,889 that and to support 1058 00:41:43,890 --> 00:41:45,929 to support this, because 1059 00:41:47,550 --> 00:41:49,619 it's the vendors which are 1060 00:41:49,620 --> 00:41:51,689 delivering the BIOS updates 1061 00:41:51,690 --> 00:41:53,069 to you, not AMD. 1062 00:41:53,070 --> 00:41:55,379 And this is perhaps 1063 00:41:55,380 --> 00:41:57,329 the only way to force them 1064 00:41:58,380 --> 00:42:00,509 to update. Also the all the other 1065 00:42:00,510 --> 00:42:02,669 platforms is 1066 00:42:02,670 --> 00:42:04,919 to simply bug them and ask them for 1067 00:42:04,920 --> 00:42:07,019 the fixed AGESA, 1068 00:42:07,020 --> 00:42:09,179 which is here. 1069 00:42:09,180 --> 00:42:11,219 So in this table you can see the 1070 00:42:11,220 --> 00:42:14,069 processors' names which are affected by 1071 00:42:14,070 --> 00:42:15,189 these problems.
1072 00:42:15,190 --> 00:42:17,579 Also the AGESA version number, 1073 00:42:17,580 --> 00:42:19,769 which you can get if you 1074 00:42:19,770 --> 00:42:21,899 search in the BIOS image for 1075 00:42:21,900 --> 00:42:24,359 just a string, then there is this 1076 00:42:24,360 --> 00:42:26,729 thing like to begin with one 1077 00:42:26,730 --> 00:42:28,949 point one, and the SMU 1078 00:42:28,950 --> 00:42:31,379 versions which are 1079 00:42:31,380 --> 00:42:33,659 listed over 1080 00:42:33,660 --> 00:42:35,969 here in my presentation 1081 00:42:35,970 --> 00:42:38,309 in the slides, if you go back, then 1082 00:42:38,310 --> 00:42:40,579 later I use the version 1083 00:42:40,580 --> 00:42:42,959 a A which means Tanton. 1084 00:42:42,960 --> 00:42:45,059 So you will see now its version 10 1085 00:42:45,060 --> 00:42:47,999 14, which already includes the fix. 1086 00:42:48,000 --> 00:42:50,189 And I use this, 1087 00:42:51,240 --> 00:42:53,339 let's say, some nicknames 1088 00:42:53,340 --> 00:42:55,529 of the processors, but it is easy to find 1089 00:42:55,530 --> 00:42:57,989 them using Wikipedia. 1090 00:42:57,990 --> 00:42:58,990 So 1091 00:43:00,150 --> 00:43:02,249 you will find it or just ask me 1092 00:43:02,250 --> 00:43:03,899 or drop me an email if you have some 1093 00:43:03,900 --> 00:43:05,909 problems with that. 1094 00:43:05,910 --> 00:43:07,860 So thank you for the attention. 1095 00:43:15,520 --> 00:43:18,179 Rudolf agreed to a 1096 00:43:18,180 --> 00:43:19,469 Q&A session. 1097 00:43:19,470 --> 00:43:21,840 So please line up on the microphones, 1098 00:43:23,160 --> 00:43:25,409 microphone, screen and so forth. 1099 00:43:25,410 --> 00:43:26,599 I need another microphone. 1100 00:43:26,600 --> 00:43:28,799 I have my own. Yes, I know. 1101 00:43:28,800 --> 00:43:31,469 Um, so two simple questions.
00:43:31
First of all, what can you actually do from the... can you read anything from memory? Can you actually do anything else than just respond to it?

Well, it was not the purpose to analyze this for me. I simply took my journey and I didn't want to damage my processor; I'm not sure if it is even possible to physically damage it. I don't know if there is a DMA available inside this processor. I would bet it's in the USB 3 controller, which needs to use DMA. I don't know if this processor uses the DMA. Um, but I forgot to tell you that I have a guest from AMD. I mean, he can most likely help me to answer them. Please welcome David.

Hi, David.

Hi, everyone.
00:44:33
Yeah, with regard to that specific question, the SMU appears to software as a PCI device, and it has the same capabilities that you would generally expect of a PCI device, which includes DMA. It has, of course, some additional capabilities with regard to its specific function within the SoC regarding power management and things like that. But yes, it is able to read and write memory.

OK, so the thing is, how persistent is firmware once you actually put anything in it? It's basically volatile, right? So if I override the... like, if I'm malicious and patch the host's firmware, the BIOS blob, to have a malicious piece of code in that blob, then I recalculate the checksum for that. Since I do know that all the CPUs allow me to read it out, and the ROM doesn't change since the last time, I can basically just infiltrate any random CPU.

You can, yeah.
00:45:40
All right, I guess so your question is about the window of vulnerability, right, between power on and when the firmware was loaded? Yep, yeah, that exists. And that's unfortunately not something that we can really patch in the field. I guess our response to that would be that if you are able to have more trust in your early BIOS code to correctly load that firmware, then that will help address that. And so some of the technologies that we are working on with our newer products include things like Hardware Validated Boot, where we have the platform security processor verify the integrity of that first BIOS part that executes, so that you can have that chain of trust going forward. But yes, I agree, there is a window here.

That makes sense. Thanks.

The IRC has a question. Yes, thank you. The question is, what exactly is the SMU, and is the power management unit also in it?
Could it be used to overclock or activate more cores?

Well, I think it is used for the power management stuff, like the dynamic or adaptive power management. I don't know if you can overclock way more or if you can unlock some other cores. I don't think they will disclose this to us. So I don't know.

Yeah, I would say go and have fun. Let me know what you find.

OK, microphone four.

Thanks for your talk. Just a quick question. So currently the BIOS, the actual BIOS image, is what submits the request to verify the BIOS integrity?

Yes.

So you could in fact just remove that from the BIOS, assuming you could complete the checksum and...

Well, I bypassed the whole... I'm not even sure the computer can run without that, so. I think you have to load it.

I mean, bypassing the SMU checks, I'm not... is it the SMU loading it?
Because if it's the BIOS who started it, the main CPU started first.

I'm sorry, I can't hear you.

Very sorry. If the main CPU started first and then it loads the SMU image and then it calls something to verify the BIOS image was loaded correctly, by this time the image must have been already loaded, right? Or am I getting it?

So the sequence is that the main CPU, the x86, starts to run with the... and the SMU at maybe the same moment is running also, but it is running the wrong firmware. And well, when the BIOS is doing its stuff, it will load the image to the RAM of the SMU, the second 64 kilobytes, and then it will invoke the authentication function. And unfortunately I don't know any details what could happen if this is wrong or if you don't do that. So again, maybe David will.
00:48:52
Yeah, I think I may have created the confusion, so let me try to address that. The statement about verifying the BIOS code which loads the firmware is a statement with regard to newer products, starting with the Mullins product, that include a platform security processor, where the platform security processor is the first microcontroller that comes up out of reset. For the older parts that do not have that, what Rudolf just said was correct.

OK, thanks. Microphone two.

OK. Um, you noticed that now we should rely on the mainboard vendors to supply BIOS updates containing the patched firmware blobs. From my experience with Intel mainboards, I have very little trust in the mainboard vendors to do proper HMAC-ing in that BIOS update. So do you see any chance in just swapping those blobs in existing BIOS updates?
I mean, I know for Intel that it's definitely possible to patch BIOS updates which are not properly secured.

I think you will face the problems with some other BIOS checksums in the end. And I would recommend you to use coreboot, because that's the fix for this problem. Also the other might work as well.

Good point.

Thank you. Microphone one.

Hi. I was just wondering, you have heard from companies like Facebook, Microsoft and others that they put out pretty huge bounties for security vulnerabilities found. So did AMD reward you for basically doing their job?

You know... what are you talking about? Well, of course, I didn't want to sell this, because I thought maybe some other people know about this. So let's make it public to balance out the world, our world.
00:51:05
And yes, it cost me some money to get here and speak to you about this. So I'm a little bit at the minus, but I'm enjoying the Congress very much. So it's OK for you.

Number two. Yes, thank you for your talk. Did AMD actually change the salt they use for the SHA HMAC?

Um, I think no, it's still the same scheme.

So basically, if you take the same steps that you did, you can just find the salt and write your own firmware for it.

Yes. In general, it is possible that there might be ways to put that to the new keys or the new salts.

Yes, but if they would, then these would be supplied in BIOS updates and you can just extract the new seeds or the new...

Yes, it's a fairly good game. Maybe they would sell something.

Right. So obviously the fix, it was released as new firmware.
00:52:11
And so if you take that out and you write your own thing, they get sort of before that or something like that, then you're running essentially with the same device that Rudolf did. Uh, the key or salt in question is hard coded into the silicon itself. So it's not something that unfortunately can be changed.

OK, thanks.

Number two. The first part of my question you already answered, because it was just that question. So after applying the new firmware, new vulnerabilities notwithstanding, the SMU is then safe, like?

Yes. So with this fix, it's OK now because, yes, the window is closed. You cannot access the memory anymore and you cannot load your own code into it anymore. And as long as you have the BIOS blob in the chip, it's OK. As far as we know, unless I find something else.

Thanks.
00:53:23
And if you do, I'd like to say, since Rudolf's encounter, where he had trouble finding someone to talk to at our company, we have set up a new email alias that's listed on there. So if you do have time to experiment and you find anything, we'd love to hear about it. So please email us.

So thanks to Rudolf for finding this bug and making us all safer, and go for the more.